CN102082666A - Single login system and method and service management system as well as single login intermediate system - Google Patents


Info

Publication number
CN102082666A
Authority
CN (China)
Prior art keywords
sign
user
user profile
business management
management system
Legal status
Granted
Application number
CN2009102415535A
Other languages
Chinese (zh)
Other versions
CN102082666B (en)
Inventors
王磊建
范晓晖
刘越
王磊
程亮
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN200910241553A
Publication of CN102082666A
Application granted
Publication of CN102082666B
Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a single sign-on system and method, a service management system and a single sign-on intermediate system. The single sign-on system comprises at least one service management system, at least one application system and a single sign-on intermediate system. The service management system encrypts a user's user information according to a first encryption key agreed in advance with the single sign-on intermediate system and sends it to the single sign-on intermediate system; the single sign-on intermediate system decrypts it, re-encrypts the user information according to a second encryption key agreed with the application system the user requests to access, and sends the encrypted user information to that application system, which provides services to the user according to the user information it obtains by decryption. The technical scheme of the invention solves the prior-art problem that an application system provides services to users inefficiently because managing an encryption key with each service management system consumes considerable system resources.

Description

Single sign-on system and method, service management system and single sign-on intermediate system
Technical field
The present invention relates to the field of communication technology, and in particular to a single sign-on system and method, a service management system and a single sign-on intermediate system.
Background technology
Usually each independent application system has its own security system and user identity authentication system, so a user must log in to every application system he accesses. This is not only very difficult for system administration, it also leaves major hidden dangers on the security side. To address this problem, the prior art proposed single sign-on (SSO) technology, in which a user only needs to log in once to access multiple application systems. For example, when the user accesses application system 1 for the first time, application system 1 directs the user to log in at its own authentication unit 1; authentication unit 1 performs identity authentication based on the login information the user provides, and if the user passes, it assigns the user an authentication identifier indicating that identity authentication passed and returns the assigned authentication identifier to the user. When the user later accesses application system 2, the user sends the authentication identifier returned by authentication unit 1 to application system 2; application system 2 passes the authentication identifier sent by the user to its own authentication unit 2 for authentication; authentication unit 2 verifies the legitimacy of the authentication identifier by communicating with authentication unit 1, and if it passes, the user does not need to log in again and directly accesses application system 2.
In an Internet environment, the multiple application systems to which all of the services subscribed by a user belong are usually integrated in a service management system, as shown in Figure 1: service management system 11 corresponds to multiple application systems 12. The single sign-on system shown in Figure 1 can therefore be called a one-to-many single sign-on system; it can present all of the services the user has subscribed to together on service management system 11, which is convenient for the user.
Figure 2 is a flow chart of the prior-art method by which a user performs single sign-on based on the one-to-many single sign-on system shown in Figure 1. The specific processing is as follows:
Step 21: after receiving the user ID and password entered by the user, the service management system performs identity authentication on the user;
Step 22: if the result of the service management system's identity authentication of the user is that authentication passed, it assigns an authentication identifier to the user, where the assigned authentication identifier corresponds to the user's user ID and service subscription information;
Step 23: if the user needs to access application system 1, the user clicks the web link corresponding to application system 1 on the service management system;
Step 24: the service management system sends the authentication identifier assigned to the user to application system 1;
Step 25: application system 1 encrypts the received authentication identifier using the encryption key agreed in advance with the service management system, and sends the encrypted authentication identifier to the service management system;
Step 26: the service management system decrypts the received authentication identifier using the encryption key agreed in advance with application system 1, and judges whether the authentication identifier obtained by decryption is the authentication identifier the service management system assigned to the user;
Step 27: if the judgment result of step 26 is yes, the service management system looks up the service subscription information corresponding to the authentication identifier in its stored correspondence between authentication identifiers, user IDs and service subscription information;
Step 28: the service management system sends the service subscription information it found to application system 1;
Step 29: application system 1 provides the corresponding service to the user according to the received service subscription information.
In the above process, in order to prevent network interception and hacker attacks, the service management system needs to authenticate the application system, which is the operation of steps 24 to 26: if the judgment result of step 26 is yes, the service management system's authentication result for application system 1 is that authentication passed; if the judgment result of step 26 is no, the authentication result for application system 1 is that authentication did not pass.
In actual use there are also many-to-many single sign-on systems, as shown in Figure 3, in which multiple service management systems 31 correspond to multiple application systems 32.
In a many-to-many single sign-on system, each application system corresponds to multiple service management systems, and a user can access an application system through any of several service management systems. An encryption key has then been agreed in advance between each application system and each service management system. If there are N service management systems in the many-to-many single sign-on system, then after receiving the authentication identifier sent by any one service management system, the application system must search among the N encryption keys it manages for the key corresponding to that service management system, and then encrypt the authentication identifier with the key it found. In other words, besides providing services to users, the application system must also manage an encryption key with every service management system. The application system's system resources are limited, and managing an encryption key with every service management system consumes considerable system resources, which lowers the efficiency with which the application system provides services to users.
Summary of the invention
The embodiments of the invention provide a single sign-on system and method in order to solve the problem, existing in the prior art, that an application system's management of an encryption key with each service management system consumes considerable system resources, which lowers the efficiency with which the application system provides services to users.
Accordingly, the embodiments of the invention also provide a service management system and a single sign-on intermediate system.
The technical scheme of the embodiments of the invention is as follows:
A single sign-on system comprising at least one service management system and at least one application system, and further comprising a single sign-on intermediate system, wherein: the service management system is used to determine a user's user information after receiving an access request message sent by the user, encrypt the user's user information according to a first encryption key agreed in advance with the single sign-on intermediate system, and send it to the single sign-on intermediate system; the single sign-on intermediate system is used to decrypt the received user information according to the first encryption key, determine the application system the user requests to access, encrypt the user information obtained by decryption according to a second encryption key agreed in advance with the determined application system, and send the encrypted user information to the determined application system; and the application system is used to decrypt the received user information according to the second encryption key and then provide services to the user according to the user information obtained by decryption.
A single sign-on method comprising the steps of: a service management system determines a user's user information after receiving an access request message sent by the user, encrypts the user's user information according to a first encryption key agreed in advance with a single sign-on intermediate system, and sends it to the single sign-on intermediate system; the single sign-on intermediate system decrypts the received user information according to the first encryption key, determines the application system the user requests to access, encrypts the user information obtained by decryption according to a second encryption key agreed in advance with the determined application system, and sends the encrypted user information to the determined application system; and after decrypting the received user information according to the second encryption key, the application system provides services to the user according to the user information obtained by decryption.
A service management system comprising: a first receiving unit, used to receive an access request message sent by a user; a first determining unit, used to determine the user's user information after the first receiving unit receives the access request message sent by the user; an encrypting unit, used to encrypt the user information determined by the first determining unit according to a first encryption key agreed in advance with a single sign-on intermediate system; and a first sending unit, used to send the user information encrypted by the encrypting unit to the single sign-on intermediate system.
A single sign-on intermediate system comprising: a first receiving unit, used to receive encrypted user information sent by a service management system; a first decrypting unit, used to decrypt the user information received by the first receiving unit according to a first encryption key agreed in advance with the service management system; a first determining unit, used to determine the application system the user requests to access; a first encrypting unit, used to encrypt the user information obtained by the first decrypting unit according to a second encryption key agreed in advance with the application system determined by the first determining unit; and a first sending unit, used to send the user information encrypted by the first encrypting unit to the application system determined by the first determining unit.
In the technical scheme of the embodiments of the invention, the single sign-on system comprises not only at least one service management system and at least one application system but also a single sign-on intermediate system. After receiving an access request message sent by a user, the service management system determines the user's user information, encrypts it according to a first encryption key agreed in advance with the single sign-on intermediate system, and sends it to the single sign-on intermediate system; the single sign-on intermediate system decrypts the received user information according to the first encryption key, encrypts the user information obtained by decryption according to a second encryption key agreed in advance with the application system the user requests to access, and sends the encrypted user information to that application system; after decrypting the received user information according to the second encryption key, the application system provides services to the user according to the user information obtained by decryption. It can be seen that the single sign-on intermediate system is responsible for interacting with each service management system to obtain the user's user information, and each application system only needs to agree an encryption key in advance with the single sign-on intermediate system and manage that one key. This saves the application system's system resources and effectively improves the efficiency with which the application system provides services to users.
Description of drawings
Fig. 1 is a schematic structural diagram of a one-to-many single sign-on system in the prior art;
Fig. 2 is a schematic flow chart of a single sign-on method based on a one-to-many single sign-on system in the prior art;
Fig. 3 is a schematic structural diagram of a many-to-many single sign-on system in the prior art;
Fig. 4 is a schematic structural diagram of the single sign-on system in an embodiment of the invention;
Fig. 5 is a schematic flow chart of the single sign-on method in an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the service management system in an embodiment of the invention;
Fig. 7 is a schematic structural diagram of the single sign-on intermediate system in an embodiment of the invention.
Embodiment
The main implementation principle of the technical scheme of the embodiments of the invention, its specific embodiments and the beneficial effects it should be able to achieve are set out in detail below with reference to the accompanying drawings.
Figure 4 is a schematic structural diagram of the single sign-on system in an embodiment of the invention. The single sign-on system in this embodiment comprises at least one service management system 41, a single sign-on intermediate system 42 and at least one application system 43, wherein:
Service management system 41 is used to determine a user's user information after receiving an access request message sent by the user, encrypt the user's user information according to a first encryption key agreed in advance with single sign-on intermediate system 42, and send it to single sign-on intermediate system 42;
Single sign-on intermediate system 42 is used to decrypt the received user information according to the first encryption key, determine the application system 43 the user requests to access, encrypt the user information obtained by decryption according to a second encryption key agreed in advance with the determined application system 43, and send the encrypted user information to the determined application system 43;
Application system 43 is used to decrypt the received user information according to the second encryption key and then provide services to the user according to the user information obtained by decryption.
As can be seen from the above process, in the technical scheme of the embodiments of the invention the single sign-on system comprises not only at least one service management system and at least one application system but also a single sign-on intermediate system. After receiving an access request message sent by a user, the service management system determines the user's user information, encrypts it according to a first encryption key agreed in advance with the single sign-on intermediate system, and sends it to the single sign-on intermediate system; the single sign-on intermediate system decrypts the received user information according to the first encryption key, encrypts the user information obtained by decryption according to a second encryption key agreed in advance with the application system the user requests to access, and sends the encrypted user information to that application system; after decrypting the received user information according to the second encryption key, the application system provides services to the user according to the user information obtained by decryption. It can be seen that the single sign-on intermediate system is responsible for interacting with each service management system to obtain the user's user information, and each application system only needs to agree an encryption key in advance with the single sign-on intermediate system and manage that one key. This saves the application system's system resources and effectively improves the efficiency with which the application system provides services to users.
Based on the single sign-on system shown in Figure 4, an embodiment of the invention proposes a single sign-on method, shown in Figure 5, whose specific processing is as follows:
Step 51: after receiving an access request message sent by a user, the service management system determines the user's user information;
After the user sends a user ID and user password to the service management system, the service management system determines whether the user ID sent by the user exists among its stored user IDs; having determined that it exists, it looks up the user password corresponding to that user ID in its stored correspondence between user IDs and user passwords, compares the password it found with the password sent by the user, and if the comparison result is consistent, determines that the user has passed identity authentication.
If the user subsequently needs to access some application system in the single sign-on system, the user sends an access request message to the service management system; this access request carries the system identifier of the application system the user requests to access. For example, suppose the service management system manages application system 1, application system 2 and application system 3, and the titles of web link 1, web link 2 and web link 3 provided by the service management system contain the system identifiers of application system 1, application system 2 and application system 3 respectively, where the addresses corresponding to web link 1, web link 2 and web link 3 are all the address of the single sign-on intermediate system. If the user needs to access application system 1, the user clicks web link 1 among the three web links provided by the service management system, which sends to the service management system an access request message containing the system identifier of application system 1, and the service management system determines that the user requests to access application system 1.
If the user's user information is user identification information and the access request message sent by the user carries the user's user identification information, the service management system can determine the user's user information directly from the received access request message.
Step 52: the service management system encrypts the user's user information according to a first encryption key agreed in advance with the single sign-on intermediate system and sends it to the single sign-on intermediate system;
In the embodiments of the invention, an encryption key has been agreed in advance between each service management system and the single sign-on intermediate system. After receiving the access request message, the service management system can first determine the user's user information and then directly encrypt the determined user information according to the first encryption key agreed in advance with the single sign-on intermediate system and send it to the single sign-on intermediate system;
In addition, the service management system can further authenticate the single sign-on intermediate system before encrypting the user's user information, specifically as follows:
After determining that the user has passed identity authentication, the service management system assigns a first authentication identifier to the user. Subsequently, after receiving the access request message sent by this user, it sends the first authentication identifier to the single sign-on intermediate system. The single sign-on intermediate system encrypts the received first authentication identifier according to the first encryption key agreed in advance with that service management system and sends it back to the service management system. The service management system decrypts the received first authentication identifier according to the first encryption key and then determines whether the first authentication identifier obtained by decryption is consistent with the first authentication identifier it assigned to the user. If it is consistent, the service management system confirms that the authentication result for the single sign-on intermediate system is that authentication passed, and then encrypts the user's user information according to the first encryption key and sends it to the single sign-on intermediate system. If it is inconsistent, it confirms that the authentication result for the single sign-on intermediate system is that authentication did not pass, and the service management system can send an authentication-failed message to the single sign-on intermediate system.
Where the service management system also authenticates the single sign-on intermediate system before encrypting the user information according to the first encryption key, the process of determining the user's user information can be, but is not limited to, the following:
First, according to the first authentication identifier obtained by decryption, the service management system looks up the user's user information in the correspondence between first authentication identifiers and user information, and then encrypts the user information it found according to the first encryption key.
The service management system can, but is not limited to, carry the first authentication identifier in a Hypertext Transfer Protocol (HTTP) message sent to the single sign-on intermediate system. For example, if the first authentication identifier the service management system assigns to the user is token1 and the web link corresponding to the single sign-on intermediate system is http://www.abc.com, the service management system can send token1 to the single sign-on intermediate system in the form http://www.abc.com?token1=xxxxxx. After receiving this HTTP message, the single sign-on intermediate system sends the encrypted first authentication identifier to the service management system as an HTTP response message, and after determining that the first authentication identifier obtained by decryption is consistent with the first authentication identifier assigned to the user, the service management system can likewise send the encrypted user information to the single sign-on intermediate system as an HTTP response message.
Step 53: the single sign-on intermediate system decrypts the received user information according to the first encryption key;
Step 54: the single sign-on intermediate system determines the application system the user requests to access;
After decrypting the received user information, the single sign-on intermediate system needs to determine the application system the user requests to access so that it can send the user information to that application system. In the embodiments of the invention, the single sign-on intermediate system can determine the application system the user requests to access in either of the following two manners, specifically:
In the first manner, the service management system sends the system identifier carried in the access request message to the single sign-on intermediate system, and the single sign-on intermediate system determines from the received system identifier the application system the user requests to access. For example, if the system identifier corresponding to application system 1 is "1", the HTTP message can be: http://www.abc.com?ID=1. The service management system can, but is not limited to, carry the system identifier together with the first authentication identifier in the same HTTP message sent to the single sign-on intermediate system, in which case the HTTP message can be: http://www.abc.com?token1=xxxxxx&ID=1. The service management system can also send the system identifier to the single sign-on intermediate system separately, either before or after sending the first authentication identifier;
In the second manner, the service management system, according to the received system identifier, looks up the port identifier corresponding to that system identifier in the correspondence between system identifiers and the port identifiers of the receiving ports of the single sign-on intermediate system; the service management system then sends the encrypted user information to the port corresponding to the port identifier it found. The single sign-on intermediate system determines the port identifier corresponding to the port on which it received the user information, looks up the system identifier corresponding to that port identifier in the correspondence between port identifiers and system identifiers, and determines from the system identifier it found the application system the user requests to access.
For the second manner above, the system identifier of each application system corresponds to the port identifier of one receiving port of the single sign-on intermediate system; this correspondence can be, but is not limited to, as shown in the table below:
[Table image not reproduced: correspondence between each application system's system identifier and the port identifier of a receiving port of the single sign-on intermediate system.]
In addition, business management system is when sending the first authentication sign, also can send in the port-mark corresponding port that finds, the single-sign-on intermediate system just can determine that the user asks the application system of visiting according to the receiving port corresponding port sign that receives the first authentication sign so.
Step 55 according to second encryption key of making an appointment with the application system of determining, is encrypted the user profile that deciphering obtains;
In the embodiment of the invention, the single-sign-on intermediate system is before encrypting user's user profile, and the application system that can also further ask to visit to the user is carried out authentication, is specially:
The single-sign-on intermediate system assigns a second authentication identifier to this user and sends it to the determined application system. The application system encrypts the received second authentication identifier with the second encryption key pre-agreed with the single-sign-on intermediate system and returns it to the single-sign-on intermediate system. The single-sign-on intermediate system decrypts the received second authentication identifier with the second encryption key and checks whether the decrypted value matches the second authentication identifier it assigned to this user. If they match, the authentication result for the application system is a pass, and the single-sign-on intermediate system encrypts this user's user information with the second encryption key and sends it to the application system; if they do not match, the authentication result for the application system is a failure, and the single-sign-on intermediate system may send an authentication-failed message to the application system.
Step 56: the single-sign-on intermediate system sends the encrypted user information to the above application system;
Step 57: the above application system decrypts the received user information with the second encryption key and provides services to the above user according to the decrypted user information.
In the embodiment of the invention, an encryption key is pre-agreed between each application system in the single sign-on system and the single-sign-on intermediate system, so each application system only needs to manage this one encryption key. After receiving the encrypted user information sent by the single-sign-on intermediate system, the application system decrypts it with the encryption key pre-agreed with the single-sign-on intermediate system.
The user information in the embodiment of the invention may be user identification information, user service subscription information, or both.
If the user information received by the application system is the user's service subscription information, that is, the service subscription information is stored in the service management system, then, since the subscription information indicates which services the user has subscribed to, the application system can determine directly from the decrypted subscription information which services this user has subscribed to, determine from that which services it needs to provide to this user, and provide the determined services to this user.
If the user information received by the application system is user identification information, that is, the service subscription information is stored in the application system, then the application system uses the decrypted user identification information to look up this user's service subscription information in its stored mapping from user identification information to service subscription information, determines from the found subscription information which services this user has subscribed to, determines from that which services it needs to provide to this user, and provides the determined services to this user.
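The procedure concluded in steps 56 and 57 above, together with the two challenge-response checks on the first and second authentication identifiers and the port-based determination of the application system described for the lookup module and the second determination module below (claims 3, 5 and 8), as an added worked example in Go. This is editor-added illustration code, not code from the patent or from the applicant: the key values, port numbers, system identifiers and subscription record are constructed, the function and variable names are the editor's, and AES-256-GCM is assumed because the patent does not name a cipher. The user information relayed here is user identification information together with service subscription information, the combined form allowed by claim 9.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Pre-agreed keys (constructed test values; provisioned out of band in practice).
// The patent names no cipher; AES-256-GCM is assumed so relayed messages are integrity-protected too.
var key1 = bytes.Repeat([]byte{0x11}, 32) // service management system <-> SSO intermediate
var key2 = map[string][]byte{             // SSO intermediate <-> each application system
	"app-mail":  bytes.Repeat([]byte{0x22}, 32),
	"app-video": bytes.Repeat([]byte{0x33}, 32),
}

// One receiving port on the intermediate per application system (claim 8): the
// sender picks the port from the system identifier, the receiver maps it back.
var sysToPort = map[string]int{"app-mail": 8441, "app-video": 8442}
var portToSys = map[int]string{8441: "app-mail", 8442: "app-video"}
var subscriptions = map[string]string{"user-1001": "mail,video"} // held by the service management system (constructed)

func aead(key []byte) cipher.AEAD { // a wrong key length is a provisioning error, hence panic
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext || tag under a pre-agreed key.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail since Go 1.24
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open fails on a wrong key or on any modification of the message.
func open(key, msg []byte) ([]byte, error) {
	gcm := aead(key)
	if len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// authenticatePeer is the challenge-response used for both the first and the second
// authentication identifier: the verifier sends a fresh random identifier in the clear,
// the peer returns it encrypted under its copy of the key, and the verifier decrypts under
// its own copy and compares. The fresh identifier is what stops a recorded response being replayed.
func authenticatePeer(verifierKey, peerKey []byte) bool {
	authID := make([]byte, 16)
	rand.Read(authID)
	got, err := open(verifierKey, seal(peerKey, authID))
	return err == nil && bytes.Equal(got, authID)
}

// run walks one access request through the three parties and returns the user
// information the application system ends up with.
func run(userID, targetSys string) (string, error) {
	// Service management system: check the intermediate holds key1, look up the
	// user's subscription, encrypt it under key1, send to the target's port.
	if !authenticatePeer(key1, key1) { // both sides hold key1 when honest
		return "", fmt.Errorf("sso intermediate failed authentication")
	}
	port := sysToPort[targetSys]
	ct1 := seal(key1, []byte(userID+":"+subscriptions[userID]))
	// SSO intermediate: receiving port -> system identifier -> key2; decrypt under
	// key1 (the intermediate sees plaintext by design), check the application
	// holds key2, re-encrypt under key2.
	k2, ok := key2[portToSys[port]]
	if !ok {
		return "", fmt.Errorf("no key agreed with application system %q", targetSys)
	}
	plain, err := open(key1, ct1)
	if err != nil {
		return "", fmt.Errorf("intermediate: %w", err)
	}
	if !authenticatePeer(k2, k2) {
		return "", fmt.Errorf("application system failed authentication")
	}
	ct2 := seal(k2, plain)
	// Application system: decrypt under key2 and serve the user from the result.
	info, err := open(k2, ct2)
	if err != nil {
		return "", fmt.Errorf("application: %w", err)
	}
	return string(info), nil
}

func main() { fmt.Println(run("user-1001", "app-mail")) }
```

`go run` prints `user-1001:mail,video <nil>`. Three properties follow from the page's own design and are worth keeping in view when implementing it: the intermediate holds both keys and sees every user's information in plaintext, so it must be trusted at least as much as the service management system; each challenge-response proves only possession of the shared key, so the authentication identifier must be freshly random per request for a recorded response not to be accepted again; and because the patent specifies encryption without naming an integrity mechanism, the example uses an authenticated mode so that a relayed message altered in transit or sealed under a different key is rejected at `open` rather than decrypted into data the application system would then act on.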
In the existing single sign-on method, an application system has to keep a separate encryption key with each of a plurality of service management systems, and because those service management systems are deployed at different geographical locations, the application system has to keep its encryption keys synchronized with each of them by out-of-band means, which makes the application system very inconvenient to manage. In the single sign-on method proposed by the embodiment of the invention, an application system only needs to keep the one encryption key agreed with the single-sign-on intermediate system, which makes the application system considerably easier to manage.
The embodiment of the invention proposes a service management system, shown in Figure 6, comprising a first receiving unit 61, a first determining unit 62, an encryption unit 63 and a first sending unit 64, wherein:
the first receiving unit 61 is configured to receive an access request message sent by a user;
the first determining unit 62 is configured to determine the user information of this user after the first receiving unit 61 receives the access request message sent by the user;
the encryption unit 63 is configured to encrypt the user information determined by the first determining unit 62 with the first encryption key pre-agreed with the single-sign-on intermediate system;
the first sending unit 64 is configured to send the user information encrypted by the encryption unit 63 to the single-sign-on intermediate system.
Preferably, the above service management system further comprises an assignment unit, a second sending unit, a second receiving unit, a decryption unit and a second determining unit, wherein:
the assignment unit is configured to assign a first authentication identifier to this user;
the second sending unit is configured to send the first authentication identifier assigned by the assignment unit to the single-sign-on intermediate system before the encryption unit 63 encrypts the user information;
the second receiving unit is configured to receive the encrypted first authentication identifier sent by the single-sign-on intermediate system;
the decryption unit is configured to decrypt the first authentication identifier received by the second receiving unit with the first encryption key pre-agreed with the single-sign-on intermediate system;
the second determining unit is configured to determine that the first authentication identifier decrypted by the decryption unit matches the first authentication identifier assigned to this user by the assignment unit.
More preferably, the first determining unit 62 uses the first authentication identifier decrypted by the decryption unit to look up this user's user information in the mapping from first authentication identifiers to user information.
Preferably, the access request message received by the first receiving unit 61 carries the system identifier of the application system the user requests to access.
More preferably, the above service management system further comprises a third sending unit configured to send the system identifier received by the first receiving unit 61 to the single-sign-on intermediate system.
More preferably, the first sending unit 64 comprises a lookup module and a sending module, wherein:
the lookup module is configured to look up, in the mapping from system identifiers to port identifiers of receiving ports on the single-sign-on intermediate system, the port identifier corresponding to the system identifier received by the first receiving unit 61;
the sending module is configured to send the user information encrypted by the encryption unit 63 to the port corresponding to the port identifier found by the lookup module.
The embodiment of the invention proposes a single-sign-on intermediate system, shown in Figure 7, comprising a first receiving unit 71, a first decryption unit 72, a first determining unit 73, a first encryption unit 74 and a first sending unit 75, wherein:
the first receiving unit 71 is configured to receive the encrypted user information sent by the service management system;
the first decryption unit 72 is configured to decrypt the user information received by the first receiving unit 71 with the first encryption key pre-agreed with the above service management system;
the first determining unit 73 is configured to determine the application system the user requests to access;
the first encryption unit 74 is configured to encrypt the user information decrypted by the first decryption unit 72 with the second encryption key pre-agreed with the application system determined by the first determining unit 73;
the first sending unit 75 is configured to send the user information encrypted by the first encryption unit 74 to the application system determined by the first determining unit 73.
Preferably, the above single-sign-on intermediate system further comprises a second receiving unit and a second encryption unit, wherein:
the second receiving unit is configured to receive the first authentication identifier sent by the service management system;
the second encryption unit is configured to encrypt the received first authentication identifier with the first encryption key pre-agreed with the above service management system and send it to the above service management system.
Preferably, the above single-sign-on intermediate system further comprises an assignment unit, a second sending unit, a third receiving unit, a second decryption unit and a second determining unit, wherein:
the assignment unit is configured to assign a second authentication identifier to this user before the first encryption unit encrypts the user information decrypted by the first decryption unit;
the second sending unit is configured to send the second authentication identifier assigned by the assignment unit to the application system determined by the first determining unit 73;
the third receiving unit is configured to receive the encrypted second authentication identifier sent by this application system;
the second decryption unit is configured to decrypt the second authentication identifier received by the third receiving unit with the second encryption key pre-agreed with this application system;
the second determining unit is configured to determine that the second authentication identifier decrypted by the second decryption unit matches the second authentication identifier assigned to this user by the assignment unit.
Preferably, the first determining unit 73 comprises a receiving module and a first determination module, wherein:
the receiving module is configured to receive the system identifier sent by the above service management system;
the first determination module is configured to determine the application system the user requests to access according to the system identifier received by the receiving module.
Preferably, the first determining unit 73 comprises a second determination module, a lookup module and a third determination module, wherein:
the second determination module is configured to determine the port identifier of the port on which the first receiving unit 71 received the above user information;
the lookup module is configured to look up, in the mapping from port identifiers to system identifiers, the system identifier corresponding to the port identifier determined by the second determination module;
the third determination module is configured to determine the application system this user requests to access according to the system identifier found by the lookup module.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims (21)

1. A single sign-on system comprising at least one service management system and at least one application system, characterized in that it further comprises a single-sign-on intermediate system, wherein:
the service management system is configured to determine, after receiving an access request message sent by a user, the user information of this user, encrypt this user's user information with a first encryption key pre-agreed with the single-sign-on intermediate system, and send it to the single-sign-on intermediate system;
the single-sign-on intermediate system is configured to decrypt the received user information with the first encryption key, determine the application system the user requests to access, encrypt the decrypted user information with a second encryption key pre-agreed with the determined application system, and send the encrypted user information to the determined application system;
the application system is configured to decrypt the received user information with the second encryption key and provide services to the user according to the decrypted user information.
2. A single sign-on method, characterized in that it comprises:
a service management system determining, after receiving an access request message sent by a user, the user information of this user; and
encrypting this user's user information with a first encryption key pre-agreed with a single-sign-on intermediate system and sending it to the single-sign-on intermediate system;
the single-sign-on intermediate system decrypting the received user information with the first encryption key; and
determining the application system the user requests to access; and
encrypting the decrypted user information with a second encryption key pre-agreed with the determined application system; and
sending the encrypted user information to the determined application system;
the application system decrypting the received user information with the second encryption key and providing services to the user according to the decrypted user information.
3. The single sign-on method of claim 2, characterized in that, before the service management system encrypts this user's user information, the method further comprises:
the service management system sending a first authentication identifier assigned to this user to the single-sign-on intermediate system;
the single-sign-on intermediate system encrypting the received first authentication identifier with the first encryption key pre-agreed with the service management system and sending it to the service management system;
the service management system decrypting the received first authentication identifier with the first encryption key; and
determining that the decrypted first authentication identifier matches the first authentication identifier assigned to the user.
4. The single sign-on method of claim 3, characterized in that the service management system determining this user's user information specifically comprises:
the service management system using the decrypted first authentication identifier to look up this user's user information in a mapping from first authentication identifiers to user information.
5. The single sign-on method of claim 2, characterized in that, before the single-sign-on intermediate system encrypts the decrypted user information, the method further comprises:
the single-sign-on intermediate system sending a second authentication identifier assigned to this user to the determined application system;
the application system encrypting the received second authentication identifier with the second encryption key pre-agreed with the single-sign-on intermediate system and sending it to the single-sign-on intermediate system;
the single-sign-on intermediate system decrypting the received second authentication identifier with the second encryption key; and
determining that the decrypted second authentication identifier matches the second authentication identifier assigned to the user.
6. The single sign-on method of claim 2, characterized in that the access request message received by the service management system carries the system identifier of the application system the user requests to access.
7. The single sign-on method of claim 6, characterized in that the single-sign-on intermediate system determining the application system the user requests to access specifically comprises:
the single-sign-on intermediate system receiving the system identifier sent by the service management system; and
determining the application system the user requests to access according to the received system identifier.
8. The single sign-on method of claim 6, characterized in that the service management system sending the encrypted user information to the single-sign-on intermediate system specifically comprises:
the service management system looking up, in a mapping from system identifiers to port identifiers of receiving ports on the single-sign-on intermediate system, the port identifier corresponding to the received system identifier; and
sending the encrypted user information to the port corresponding to the found port identifier;
and the single-sign-on intermediate system determining the application system the user requests to access specifically comprises:
the single-sign-on intermediate system determining the port identifier of the port on which the user information was received;
looking up, in a mapping from port identifiers to system identifiers, the system identifier corresponding to the determined port identifier; and
determining the application system the user requests to access according to the found system identifier.
9. The single sign-on method of claim 2, characterized in that the user information is user identification information and/or user service subscription information.
10. The single sign-on method of claim 9, characterized in that, if the user information is user identification information, the application system providing services to the user according to the decrypted user information specifically comprises:
the application system using the decrypted user identification information to look up the user's service subscription information in a stored mapping from user identification information to service subscription information; and
determining the services to be provided to the user according to the found service subscription information; and
providing the determined services to the user.
11. A service management system, characterized in that it comprises:
a first receiving unit configured to receive an access request message sent by a user;
a first determining unit configured to determine the user information of this user after the first receiving unit receives the access request message sent by the user;
an encryption unit configured to encrypt the user information determined by the first determining unit with a first encryption key pre-agreed with a single-sign-on intermediate system;
a first sending unit configured to send the user information encrypted by the encryption unit to the single-sign-on intermediate system.
12. The service management system of claim 11, characterized in that it further comprises:
an assignment unit configured to assign a first authentication identifier to this user;
a second sending unit configured to send the first authentication identifier assigned by the assignment unit to the single-sign-on intermediate system before the encryption unit encrypts the user information;
a second receiving unit configured to receive the encrypted first authentication identifier sent by the single-sign-on intermediate system;
a decryption unit configured to decrypt the first authentication identifier received by the second receiving unit with the first encryption key pre-agreed with the single-sign-on intermediate system;
a second determining unit configured to determine that the first authentication identifier decrypted by the decryption unit matches the first authentication identifier assigned to the user.
13. The service management system of claim 12, characterized in that the first determining unit uses the first authentication identifier decrypted by the decryption unit to look up this user's user information in a mapping from first authentication identifiers to user information.
14. The service management system of claim 11, characterized in that the access request message received by the first receiving unit carries the system identifier of the application system the user requests to access.
15. The service management system of claim 14, characterized in that it further comprises:
a third sending unit configured to send the system identifier received by the first receiving unit to the single-sign-on intermediate system.
16. The service management system of claim 14, characterized in that the first sending unit specifically comprises:
a lookup module configured to look up, in a mapping from system identifiers to port identifiers of receiving ports on the single-sign-on intermediate system, the port identifier corresponding to the system identifier received by the first receiving unit;
a sending module configured to send the user information encrypted by the encryption unit to the port corresponding to the port identifier found by the lookup module.
17. A single-sign-on intermediate system, characterized in that it comprises:
a first receiving unit configured to receive encrypted user information sent by a service management system;
a first decryption unit configured to decrypt the user information received by the first receiving unit with a first encryption key pre-agreed with the service management system;
a first determining unit configured to determine the application system the user requests to access;
a first encryption unit configured to encrypt the user information decrypted by the first decryption unit with a second encryption key pre-agreed with the application system determined by the first determining unit;
a first sending unit configured to send the user information encrypted by the first encryption unit to the application system determined by the first determining unit.
18. The single-sign-on intermediate system of claim 17, characterized in that it further comprises:
a second receiving unit configured to receive a first authentication identifier sent by the service management system;
a second encryption unit configured to encrypt the received first authentication identifier with the first encryption key pre-agreed with the service management system and send it to the service management system.
19. The single-sign-on intermediate system of claim 17, characterized in that it further comprises:
an assignment unit configured to assign a second authentication identifier to this user before the first encryption unit encrypts the user information decrypted by the first decryption unit;
a second sending unit configured to send the second authentication identifier assigned by the assignment unit to the application system determined by the first determining unit;
a third receiving unit configured to receive the encrypted second authentication identifier sent by the application system;
a second decryption unit configured to decrypt the second authentication identifier received by the third receiving unit with the second encryption key pre-agreed with the application system;
a second determining unit configured to determine that the second authentication identifier decrypted by the second decryption unit matches the second authentication identifier assigned to the user by the assignment unit.
20. The single-sign-on intermediate system of claim 17, characterized in that the first determining unit specifically comprises:
a receiving module configured to receive the system identifier sent by the service management system;
a first determination module configured to determine the application system the user requests to access according to the system identifier received by the receiving module.
21. The single-sign-on intermediate system of claim 17, characterized in that the first determining unit specifically comprises:
a second determination module configured to determine the port identifier of the port on which the first receiving unit received the user information;
a lookup module configured to look up, in a mapping from port identifiers to system identifiers, the system identifier corresponding to the port identifier determined by the second determination module;
a third determination module configured to determine the application system the user requests to access according to the system identifier found by the lookup module.
CN200910241553A 2009-11-26 2009-11-26 Single login system and method and service management system as well as single login intermediate system Expired - Fee Related CN102082666B (en)

Publications (2)

Publication Number Publication Date
CN102082666A 2011-06-01
CN102082666B 2012-10-03

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104065616A (en) * 2013-03-20 2014-09-24 中国移动通信集团公司 Single sign-on method and system
CN104320394A (en) * 2014-10-24 2015-01-28 华迪计算机集团有限公司 Single sign-on achievement method and system
CN104599111A (en) * 2015-02-11 2015-05-06 中国农业银行股份有限公司 Business management method and device
CN107040918A (en) * 2016-02-03 2017-08-11 上海方付通商务服务有限公司 It is a kind of to apply safe Enhancement Method, system and the client with the system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1323508C (en) * 2003-12-17 2007-06-27 上海市高级人民法院 A Single Sign On method based on digital certificate
CN1812403A (en) * 2005-01-28 2006-08-02 广东省电信有限公司科学技术研究院 Single-point logging method for realizing identification across management field

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121003

Termination date: 20211126
